
Google’s Cloud Run Service Disseminates Multiple Bank Trojans


A recent examination by researchers has revealed an alarming increase in the propagation of banking malware via the misuse of the Google Cloud Run Service. Furthermore, there are signs indicating that the issue is already extending beyond its origins in Latin America.

Google Cloud Run is a paid service that lets administrators build and deploy additional applications and services to Google Cloud from a single platform.

Cisco Talos researchers have noted a rise, since September 2023, in campaigns abusing Google Cloud Run to disseminate banking Trojans such as the Astaroth, Mekotio, and Ousaban strains. The researchers also added that there is evidence that at least some of the campaigns are interconnected, based on overlapping time frames, storage buckets, and distribution tactics, techniques, and procedures (TTPs).

Aside from the significant increase in the total number of malicious emails, the researchers have observed that the campaign, which initially targeted Latin America, has begun to encroach into Europe and North America. Although most of the phishing emails were originally written in Spanish, the researchers have also noted that a considerable number of them were composed in Italian.

The Astaroth variant, by itself, has been observed to be targeting over 300 institutions across 15 countries in Latin America, with the majority of the emails being sent from Brazil.

The cyberattack begins with the distribution of an email. “In most cases, these emails are being sent using themes related to invoices or financial and tax documents, and sometimes pose as being sent from the local government tax agency in the country being targeted,” the Cisco Talos report stated. “In [one example], the email purports to be from Administración Federal de Ingresos Públicos (AFIP), the local government tax agency in Argentina, a country frequently targeted by recent malspam campaigns.”

The emails contain malicious links that direct recipients to threat-actor-controlled Cloud Run web services. In many cases, the Trojan was delivered as a malicious Microsoft Installer (MSI) package served directly from the adversary's Google Cloud Run web service.

“It is worth noting that attackers are deploying cloaking mechanisms to avoid detection,” the Cisco Talos team explained. “One of the cloaking approaches observed is using geoplugin. Some Google Cloud Run domains were redirected to a page for checking Proxy and Crawler and a threat level is given based on the information collected.”
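The delivery chain described above (a financial or tax-themed lure, a link to a Cloud Run web service, and an MSI download) can be turned into a simple mail-triage rule. The following is an added example, not code from the Talos report or from this article; it assumes that default Cloud Run service hostnames end in `.run.app` (custom domains would not match) and uses constructed sample emails.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: default Cloud Run service URLs use hostnames ending in .run.app.
# Services behind a custom domain will not be caught by this suffix check.
CLOUD_RUN_SUFFIX = ".run.app"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Lure themes named in the report: invoices, financial/tax documents, tax agencies
# (Spanish and Italian terms because those are the languages the campaign used).
LURE_TERMS = ("factura", "fattura", "invoice", "afip", "impuesto", "imposta",
              "comprobante", "tax")


@dataclass
class Verdict:
    cloud_run_urls: list = field(default_factory=list)
    msi_urls: list = field(default_factory=list)
    lure_terms: list = field(default_factory=list)
    score: int = 0


def triage_email(subject: str, body: str) -> Verdict:
    """Score an email for the Cloud Run banking-Trojan lure pattern.

    A Cloud Run link on its own is common in legitimate mail, so the score
    only becomes meaningful when it is combined with a lure theme or an MSI
    download; callers should treat score >= 4 as worth analyst review.
    """
    v = Verdict()
    text = f"{subject}\n{body}"
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host.endswith(CLOUD_RUN_SUFFIX):
            v.cloud_run_urls.append(url)
        if parsed.path.lower().endswith(".msi"):
            v.msi_urls.append(url)
    lowered = text.lower()
    v.lure_terms = [t for t in LURE_TERMS if t in lowered]
    # Two points each for a Cloud Run host and an MSI download, up to two for lure terms.
    v.score = (2 * bool(v.cloud_run_urls) + 2 * bool(v.msi_urls)
               + min(len(v.lure_terms), 2))
    return v


# Constructed samples: one mimics the reported lure, one is ordinary mail.
PHISH = ("Factura pendiente - AFIP",
         "Descargue su comprobante: https://notificacion-abc123def4-uc.a.run.app/factura.msi")
BENIGN = ("Team lunch", "Menu is here: https://example.com/menu")
```
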

The report provides indicators of compromise and mitigation advice. These findings suggest that the spread of banking malware through Google Cloud Run is a significant and evolving problem, threatening users not only in Latin America but also in Europe and North America. Organizations and users alike should remain vigilant and ensure that their systems are protected against such attacks.
